Cyberheist possible due to malware delivered through phishing

Jun 20, 2014 22:27 GMT

An oil company settled with its bank for $350,000 (€257,000) after suing it for failing to provide commercially reasonable security measures for protecting the funds.

Back in 2011, TRC Operating Co. Inc., an oil company in California, had about $3.5 million (€2.575 million) in its bank account raided after its banking credentials fell into the hands of cybercriminals.

KrebsOnSecurity reports that the crooks initiated multiple wire transfers to move the money into Ukrainian bank accounts. The bank (United Security Bank) managed to stop the heist, although not in its entirety: $299,000 (€220,000) remained in the offshore account.

“Under California law, the most that any business can recover from a cyber fraud lawsuit is the amount stolen from its accounts - plus interest,” Krebs says.

The success of the hackers was due to a phishing attack that found its victim in an employee of the oil company. He fell for the lure in an email message and infected the computer with malware that deployed a web inject.

This method involves injecting code into a web page of a bank targeted by the cybercriminal and adding new fields for the victim to fill in with sensitive details. This information is generally required by the bank for verification purposes and can be used to change settings in the account.
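One way to spot the extra fields a web inject adds, shown here as an added example that is not from the original article: compare the form fields in the page as the bank served it with those in the page the browser rendered. The HTML samples and field names are constructed, and how the rendered page is captured (for example by a bank-supplied script or an endpoint agent) is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample: the login form as the bank serves it.
SERVED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed sample: the same page after malware on the victim's
# computer has added fields asking for extra verification data.
RENDERED = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ATM_PIN">
  <input type="text" name="mothers_maiden_name"/>
  <input type="submit" value="Log in">
</form>
"""

class FormFieldCollector(HTMLParser):
    """Collect (tag, name) pairs for every data-entry element in a page."""
    FIELD_TAGS = {"input", "select", "textarea"}

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <input ... />.
        if tag in self.FIELD_TAGS:
            a = dict(attrs)
            name = a.get("name") or a.get("id") or "<unnamed>"
            self.fields.add((tag, name.lower()))

def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    collector.close()
    return collector.fields

def injected_fields(served_html, rendered_html):
    """Fields present in the rendered page that the bank never served."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))
```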

It appears that TRC had a good chance of winning the lawsuit because the bank did not provide much protection aside from the login credentials for the account, and the system breach was not proven.

The Uniform Commercial Code (UCC) allows banks an exemption from liability in cases of online account takeover if security practices are deemed commercially reasonable. In this case they weren’t, as the attorney representing TRC said that the company “had a cash management liaison assigned to them by the bank who assured them that this was all safe and reliable.”

In a different case, the victim of the fraud lost the lawsuit against the bank, which was allowed to seek recovery of attorney fees because the recommended practices for wire transfer were disregarded.

The victim did not adopt the dual-control procedure as instructed by the bank and did not impose an upper limit on wire transfers, as also seems to have been the case with TRC, since the cybercriminals attempted to empty the account in multiple steps.

Where businesses are concerned, banks apply a different policy for protecting funds than they do for consumers, who enjoy more privileges.

The security of financial assets is a responsibility shared by both the business and the bank, and they have to agree on protective measures that can be imposed without hindering the activity of either.